[moderation] [fs?] KASAN: stack-out-of-bounds Read in __get_wchan
12 views
Skip to first unread message
syzbot
Aug 31, 2023, 12:07:00 PM8/31/23
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: ef21fa7c198e riscv: Fix build errors using binutils2.37 to..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=1708e49fa80000
kernel config: https://syzkaller.appspot.com/x/.config?x=211da8d05471d4f9
dashboard link: https://syzkaller.appspot.com/bug?extid=a8e090d99068eccb866e
compiler: riscv64-linux-gnu-gcc (Debian 12.2.0-13) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: riscv64
CC: [bra...@kernel.org linux-...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-ef21fa7c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7fec9c89e1bb/vmlinux-ef21fa7c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4740e1305d03/Image-ef21fa7c.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a8e090...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: stack-out-of-bounds in walk_stackframe+0x120/0x2f2 arch/riscv/kernel/stacktrace.c:58
Read of size 8 at addr ff20000007197dd0 by task syz-executor.1/4116
CPU: 1 PID: 4116 Comm: syz-executor.1 Not tainted 6.5.0-rc1-syzkaller-00028-gef21fa7c198e #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000b0d8>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:121
[<ffffffff8354dab2>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:127
[<ffffffff8358d67a>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff8358d67a>] dump_stack_lvl+0xe8/0x154 lib/dump_stack.c:106
[<ffffffff83554c28>] print_address_description mm/kasan/report.c:364 [inline]
[<ffffffff83554c28>] print_report+0x1e4/0x4f4 mm/kasan/report.c:475
[<ffffffff8055c582>] kasan_report+0xf0/0x1b8 mm/kasan/report.c:588
[<ffffffff8055d7a6>] check_region_inline mm/kasan/generic.c:181 [inline]
[<ffffffff8055d7a6>] __asan_load8+0x80/0xa8 mm/kasan/generic.c:260
[<ffffffff8000ae74>] walk_stackframe+0x120/0x2f2 arch/riscv/kernel/stacktrace.c:58
[<ffffffff8000b286>] __get_wchan+0x1a0/0x270 arch/riscv/kernel/stacktrace.c:146
[<ffffffff800f2d8e>] get_wchan+0x5c/0x8e kernel/sched/core.c:2065
[<ffffffff807143fa>] proc_pid_wchan+0x132/0x186 fs/proc/base.c:395
[<ffffffff80715eba>] proc_single_show+0x9c/0x148 fs/proc/base.c:777
[<ffffffff80629a1c>] seq_read_iter+0x30a/0x8c6 fs/seq_file.c:230
[<ffffffff8062a0fa>] seq_read+0x122/0x176 fs/seq_file.c:162
[<ffffffff805bf05e>] vfs_read+0x1ec/0x5be fs/read_write.c:468
[<ffffffff805c0216>] ksys_read+0x104/0x226 fs/read_write.c:613
[<ffffffff805c0360>] __do_sys_read fs/read_write.c:623 [inline]
[<ffffffff805c0360>] sys_read+0x28/0x36 fs/read_write.c:621
[<ffffffff8000a0d2>] syscall_handler+0xfa/0x148 arch/riscv/include/asm/syscall.h:90
[<ffffffff8358ea42>] do_trap_ecall_u+0x9c/0x9e arch/riscv/kernel/traps.c:310
[<ffffffff80005b78>] ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:102
The buggy address belongs to the virtual mapping at
[ff20000007190000, ff20000007199000) created by:
kernel_clone+0x118/0x854 kernel/fork.c:2912
The buggy address belongs to the physical page:
page:ff1c0000025113c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9444f
memcg:ff6000000f7cad82
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0ffe000000000000 0000000000000000 0000000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ff6000000f7cad82
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 2934, tgid 2934 (syz-executor.0), ts 2582633220600, free_ts 2509802002300
__set_page_owner+0x32/0x18a mm/page_owner.c:192
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x8e/0xe4 mm/page_alloc.c:1570
prep_new_page mm/page_alloc.c:1577 [inline]
get_page_from_freelist+0x912/0x122c mm/page_alloc.c:3221
__alloc_pages+0x19c/0x1428 mm/page_alloc.c:4477
alloc_pages+0x126/0x252 mm/mempolicy.c:2279
vm_area_alloc_pages mm/vmalloc.c:3059 [inline]
__vmalloc_area_node mm/vmalloc.c:3135 [inline]
__vmalloc_node_range+0x838/0xec2 mm/vmalloc.c:3316
alloc_thread_stack_node kernel/fork.c:309 [inline]
dup_task_struct kernel/fork.c:1113 [inline]
copy_process+0x225a/0x3f1e kernel/fork.c:2330
kernel_clone+0x118/0x854 kernel/fork.c:2912
__do_sys_clone+0xe4/0x118 kernel/fork.c:3055
sys_clone+0x32/0x44 kernel/fork.c:3023
syscall_handler+0xfa/0x148 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x9c/0x9e arch/riscv/kernel/traps.c:310
ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:102
page last free stack trace:
__reset_page_owner+0x4c/0xf8 mm/page_owner.c:149
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1161 [inline]
free_unref_page_prepare+0x420/0x5fc mm/page_alloc.c:2348
free_unref_page+0x5a/0x234 mm/page_alloc.c:2443
free_the_page mm/page_alloc.c:584 [inline]
__free_pages+0x102/0x124 mm/page_alloc.c:4566
vfree+0x14e/0x690 mm/vmalloc.c:2842
__vmalloc_area_node mm/vmalloc.c:3199 [inline]
__vmalloc_node_range+0xe18/0xec2 mm/vmalloc.c:3316
__vmalloc_node mm/vmalloc.c:3381 [inline]
vmalloc+0xa0/0xb6 mm/vmalloc.c:3414
kcov_remote_start+0x526/0x6e0 kernel/kcov.c:904
kcov_remote_start_common include/linux/kcov.h:48 [inline]
vhost_worker+0xec/0x14a drivers/vhost/vhost.c:410
vhost_task_fn+0x134/0x266 kernel/vhost_task.c:55
ret_from_fork+0xa/0x1c arch/riscv/kernel/entry.S:264
Memory state around the buggy address:
ff20000007197c80: f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00 00 00 00 00
ff20000007197d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ff20000007197d80: f1 f1 f1 f1 00 f2 f2 f2 00 00 f3 f3 00 00 00 00
^
ff20000007197e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff20000007197e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: ef21fa7c198e riscv: Fix build errors using binutils2.37 to..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=1708e49fa80000
kernel config: https://syzkaller.appspot.com/x/.config?x=211da8d05471d4f9
dashboard link: https://syzkaller.appspot.com/bug?extid=a8e090d99068eccb866e
compiler: riscv64-linux-gnu-gcc (Debian 12.2.0-13) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: riscv64
CC: [bra...@kernel.org linux-...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-ef21fa7c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7fec9c89e1bb/vmlinux-ef21fa7c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4740e1305d03/Image-ef21fa7c.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a8e090...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: stack-out-of-bounds in walk_stackframe+0x120/0x2f2 arch/riscv/kernel/stacktrace.c:58
Read of size 8 at addr ff20000007197dd0 by task syz-executor.1/4116
CPU: 1 PID: 4116 Comm: syz-executor.1 Not tainted 6.5.0-rc1-syzkaller-00028-gef21fa7c198e #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000b0d8>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:121
[<ffffffff8354dab2>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:127
[<ffffffff8358d67a>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff8358d67a>] dump_stack_lvl+0xe8/0x154 lib/dump_stack.c:106
[<ffffffff83554c28>] print_address_description mm/kasan/report.c:364 [inline]
[<ffffffff83554c28>] print_report+0x1e4/0x4f4 mm/kasan/report.c:475
[<ffffffff8055c582>] kasan_report+0xf0/0x1b8 mm/kasan/report.c:588
[<ffffffff8055d7a6>] check_region_inline mm/kasan/generic.c:181 [inline]
[<ffffffff8055d7a6>] __asan_load8+0x80/0xa8 mm/kasan/generic.c:260
[<ffffffff8000ae74>] walk_stackframe+0x120/0x2f2 arch/riscv/kernel/stacktrace.c:58
[<ffffffff8000b286>] __get_wchan+0x1a0/0x270 arch/riscv/kernel/stacktrace.c:146
[<ffffffff800f2d8e>] get_wchan+0x5c/0x8e kernel/sched/core.c:2065
[<ffffffff807143fa>] proc_pid_wchan+0x132/0x186 fs/proc/base.c:395
[<ffffffff80715eba>] proc_single_show+0x9c/0x148 fs/proc/base.c:777
[<ffffffff80629a1c>] seq_read_iter+0x30a/0x8c6 fs/seq_file.c:230
[<ffffffff8062a0fa>] seq_read+0x122/0x176 fs/seq_file.c:162
[<ffffffff805bf05e>] vfs_read+0x1ec/0x5be fs/read_write.c:468
[<ffffffff805c0216>] ksys_read+0x104/0x226 fs/read_write.c:613
[<ffffffff805c0360>] __do_sys_read fs/read_write.c:623 [inline]
[<ffffffff805c0360>] sys_read+0x28/0x36 fs/read_write.c:621
[<ffffffff8000a0d2>] syscall_handler+0xfa/0x148 arch/riscv/include/asm/syscall.h:90
[<ffffffff8358ea42>] do_trap_ecall_u+0x9c/0x9e arch/riscv/kernel/traps.c:310
[<ffffffff80005b78>] ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:102
The buggy address belongs to the virtual mapping at
[ff20000007190000, ff20000007199000) created by:
kernel_clone+0x118/0x854 kernel/fork.c:2912
The buggy address belongs to the physical page:
page:ff1c0000025113c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9444f
memcg:ff6000000f7cad82
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0ffe000000000000 0000000000000000 0000000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ff6000000f7cad82
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 2934, tgid 2934 (syz-executor.0), ts 2582633220600, free_ts 2509802002300
__set_page_owner+0x32/0x18a mm/page_owner.c:192
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x8e/0xe4 mm/page_alloc.c:1570
prep_new_page mm/page_alloc.c:1577 [inline]
get_page_from_freelist+0x912/0x122c mm/page_alloc.c:3221
__alloc_pages+0x19c/0x1428 mm/page_alloc.c:4477
alloc_pages+0x126/0x252 mm/mempolicy.c:2279
vm_area_alloc_pages mm/vmalloc.c:3059 [inline]
__vmalloc_area_node mm/vmalloc.c:3135 [inline]
__vmalloc_node_range+0x838/0xec2 mm/vmalloc.c:3316
alloc_thread_stack_node kernel/fork.c:309 [inline]
dup_task_struct kernel/fork.c:1113 [inline]
copy_process+0x225a/0x3f1e kernel/fork.c:2330
kernel_clone+0x118/0x854 kernel/fork.c:2912
__do_sys_clone+0xe4/0x118 kernel/fork.c:3055
sys_clone+0x32/0x44 kernel/fork.c:3023
syscall_handler+0xfa/0x148 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x9c/0x9e arch/riscv/kernel/traps.c:310
ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:102
page last free stack trace:
__reset_page_owner+0x4c/0xf8 mm/page_owner.c:149
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1161 [inline]
free_unref_page_prepare+0x420/0x5fc mm/page_alloc.c:2348
free_unref_page+0x5a/0x234 mm/page_alloc.c:2443
free_the_page mm/page_alloc.c:584 [inline]
__free_pages+0x102/0x124 mm/page_alloc.c:4566
vfree+0x14e/0x690 mm/vmalloc.c:2842
__vmalloc_area_node mm/vmalloc.c:3199 [inline]
__vmalloc_node_range+0xe18/0xec2 mm/vmalloc.c:3316
__vmalloc_node mm/vmalloc.c:3381 [inline]
vmalloc+0xa0/0xb6 mm/vmalloc.c:3414
kcov_remote_start+0x526/0x6e0 kernel/kcov.c:904
kcov_remote_start_common include/linux/kcov.h:48 [inline]
vhost_worker+0xec/0x14a drivers/vhost/vhost.c:410
vhost_task_fn+0x134/0x266 kernel/vhost_task.c:55
ret_from_fork+0xa/0x1c arch/riscv/kernel/entry.S:264
Memory state around the buggy address:
ff20000007197c80: f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00 00 00 00 00
ff20000007197d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ff20000007197d80: f1 f1 f1 f1 00 f2 f2 f2 00 00 f3 f3 00 00 00 00
^
ff20000007197e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff20000007197e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Nov 25, 2023, 10:58:17 AM11/25/23
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages